Encrypt a file for GitHub Actions

Published on Dec. 18, 2021 by Gabriel Bordeaux

Introduction

You can use GPG to encrypt files containing secrets that you want to use in GitHub Actions, and decrypt them in the workflow with a passphrase stored securely in your GitHub settings.

Encrypt file with GPG

Encrypt the file with GPG. You will be prompted for a passphrase, and the encrypted output is written to some_file.json.gpg:

gpg --symmetric --cipher-algo AES256 some_file.json

If you do not have GPG installed, on a Mac you can download the GPG Suite.

Store the password as a GitHub secret

In the GitHub repository, visit "Settings" > "Secrets" and click on "New Repository Secret".

Set the name to GPG_PASSPHRASE or something similar, enter the passphrase you used for encryption as the value, and save.

Decrypt the file in GitHub Actions

Add a step to your GitHub Actions workflow to decrypt the file:

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
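      - name: Decrypt GPG file
        # Pass the secret through the environment so it is not pasted into the script text
        env:
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          gpg --quiet --batch --yes --decrypt --passphrase="$GPG_PASSPHRASE" --output /path/to/some_file.json some_file.json.gpg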
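
A hardened variant of the decrypt step, added here as an example and not part of the original post: the passphrase reaches gpg on standard input instead of the command line, the plaintext is written under $RUNNER_TEMP rather than into the checked-out workspace, and a final step deletes it even if the job fails. The step names, the SECRET_FILE variable and the output location are assumptions.

```yaml
# Added example, not from the original post. Step names and SECRET_FILE are assumptions.
jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2

      - name: Decrypt GPG file
        env:
          # The runner exports the secret as an environment variable; it is never
          # expanded into the script text, so quotes or $ in it cannot break the command.
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          set -euo pipefail
          umask 077   # plaintext is created readable by the runner user only
          out="$RUNNER_TEMP/some_file.json"   # outside the checked-out workspace
          # --passphrase-fd 0 reads the passphrase from stdin, keeping it out of argv;
          # GnuPG 2.1+ also needs --pinentry-mode loopback for this.
          printf '%s' "$GPG_PASSPHRASE" | gpg --quiet --batch --yes \
            --pinentry-mode loopback --passphrase-fd 0 \
            --decrypt --output "$out" some_file.json.gpg
          # Make the path available to later steps in this job.
          echo "SECRET_FILE=$out" >> "$GITHUB_ENV"

      - name: Use the decrypted file
        run: test -s "$SECRET_FILE"   # placeholder for the step that consumes the file

      - name: Remove decrypted file
        if: always()   # run the cleanup even when an earlier step failed
        run: rm -f "$RUNNER_TEMP/some_file.json"
```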